SQLite Image Database Schema v1.5

Analysis Process Metadata Tables

db_info

Contains metadata about the software that produced the image database.

• name - Name of the software, e.g., DBSchema, Sleuth Kit, etc. (TEXT)
• version - Version of the software, e.g., 1.5, 4.0.0, etc. (TEXT)

modules

Contains one row for each module used to produce the image database.

• module_id - Id assigned to the module (INTEGER)
• name - Name of the module (TEXT)
• description - Description of the module (TEXT)

module_status

Contains one row for each status code returned by the modules in the file analysis pipeline.

• module_id - Id assigned to the module (INTEGER - foreign key, modules)
• file_id - Id assigned to the file the module analyzed (INTEGER - foreign key, files)
• status - Status reported by the module on completion of its analysis of the file (INTEGER - TskModule::Status)

Image Tables

image_info

Contains one row for each image in the set of images analyzed to produce the image database. There will be more than one row in this table for split images.

• type - Disk image file type (INTEGER - TSK_IMG_TYPE_ENUM)
• ssize - Block (sector) size of imaged device in bytes (INTEGER)

img_names

Contains one row for each image in the set of images analyzed to produce the image database. There will be more than one row in this table for split images.

• name - Image file path (TEXT)
• seq - Sequence number, counting up from one, of the image within the image set (INTEGER)

Volume / Partition Tables

vol_info

Contains one row for every volume/partition in the set of images analyzed to produce the database.

• vol_id - Id assigned to the volume / partition (INTEGER)
• sect_start - Block (sector) offset of the start of the volume / partition in the image (INTEGER)
• sect_len - Number of blocks (sectors) in the volume / partition (INTEGER)
• description - Description of the volume/partition (TEXT)
• flags - Flags for the the volume/partition (INTEGER - TSK_VS_PART_FLAG_ENUM)

File System Tables

fs_info

Contains one row for for every file system in the set of images analyzed to produce the database.

• fs_id - Id assigned to the file system (INTEGER)
• img_byte_offset - Byte offset of the start of the file system within the image (INTEGER)
• vol_id - Id of the volume/partition where the file system resides (INTEGER - foreign key, vol_info)
• fs_type - File system type (INTEGER - TSK_FS_TYPE_ENUM)
• block_size - Block size in bytes (INTEGER)
• block_count - Number of blocks (INTEGER)
• root_inum - Metadata address of root directory (INTEGER)
• first_inum - First valid metadata address (INTEGER)
• last_inum - Last valid metadata address (INTEGER)

files

Contains one row for for every file found in the set of images analyzed to produce the database.

• file_id - Id assigned to the file (INTEGER)
• par_file_id - Parent file of the file, e.g., a directory for a regular file, an archive file for a derived file (INTEGER - foreign key, files)
• name - File name (TEXT)
• full_path - Path of the file in the image (TEXT)
• size - Size in bytes (INTEGER)
• type_id - File classification by image analysis system, e.g., file system file, carved file, etc. (INTEGER - TSK_DB_FILES_TYPE_ENUM)
• dir_type - File type as specified in the directory metadata structure, e.g., directory, regular file, etc. (INTEGER - TSK_FS_NAME_TYPE_ENUM)
• meta_type - File meta-type, e.g., directory, regular file, etc. (INTEGER - TSK_FS_META_TYPE_ENUM)
• dir_flags - Allocation status (INTEGER - TSK_FS_NAME_FLAG_ENUM)
• meta_flags - File metadata structure flags (INTEGER - TSK_FS_META_FLAG_ENUM)
• ctime - Last file / metadata status change time as seconds since Jan 1, 1970 UTC (INTEGER)
• crtime - Create time (INTEGER)
• atime - Access time (INTEGER)
• mtime - Modification time (INTEGER)
• mode - Unix-style file permissions (INTEGER - TSK_FS_META_MODE_ENUM)
• uid - Owner id (INTEGER)
• gid - Group id (INTEGER)
• status - Analysis status (INTEGER - TskImgDB::FILE_STATUS)

file_hashes

Contains one row of file content hash values for every file found in the set of images analyzed to produce the database. The hash values may be NULL if not computed.

• file_id - Id assigned to the file (INTEGER - foreign key, files)
• md5 - MD5 hash (TEXT)
• sha1 - SHA-1 hash (TEXT)
• sha2_256 - SHA-256 hash (TEXT)
• sha2_512 - SHA-512 hash (TEXT)
• known - Known status as determined by hash database lookups (INTEGER - TskImgDB::KNOWN_STATUS)

fs_files

Contains one row for each file discovered during file system analysis.

• file_id - Id assigned to the file (INTEGER - foreign key, files)
• fs_id - Id of the file system that contained the file (INTEGER - foreign key, fs_info)
• fs_file_id - Id assigned to the file by the file system, e.g., an inode number (INTEGER)
• attr_id - The MFT attribute id of files in NTFS file systems (INTEGER)
• attr_type - The MFT attribute type of files in NTFS file systems (INTEGER - TSK_FS_ATTR_TYPE_ENUM)

fs_blocks

Contains one row for each contiguous run of blocks in a file system file.

• file_id - Id assigned to the file (INTEGER - foreign key, files)
• fs_id - Id assigned to the file system that contains the file (INTEGER - foreign key, fs_info)
• seq - Sequence number, counting up from one, of the run within the set of runs (INTEGER)
• blk_start - Logical block offset of the beginning of the run (INTEGER)
• blk_len - Number of blocks in the run (INTEGER)

alloc_unalloc_map

Contains one row for each contiguous run of unallocated blocks (sectors) in a volume / partition. These runs are used to create unallocated sectors files in preparation for carving.

• unalloc_img_id - Id assigned to the unallocated sectors file that contains the run (INTEGER)
• vol_id - Id of the volume / partition that contains the run (INTEGER - foreign key, vol_info)
• unalloc_img_sect_start - Sector offset of the beginning of the run in the unallocated sectors image file (INTEGER)
• orig_img_sect_start - Sector offset of the beginning of the run in the image (INTEGER)
• sect_len - Length of the run in sectors (INTEGER)

unalloc_img_status

Contains one row for each unallocated sectors file created in preparation for carving.

• unalloc_img_id - Id assigned to the file (INTEGER)
• status - Analysis status (INTEGER - TskImgDB::UNALLOC_IMG_STATUS)

carved_files

Contains one row for each file carved from unallocated space.

• file_id - Id assigned to the file (INTEGER - foreign key, files)
• vol_id - Volume/partition where the carved file resided (INTEGER - foreign key, vol_info)

carved_sectors

Contains one row for each contiguous run of blocks (sectors) of unallocated space used to create carved files.

• file_id - Id assigned to the carved file that contains the run (INTEGER - foreign key, files)
• seq - Sequence number, counting up from one, of the run within the set of runs in the carved file (INTEGER)
• sect_start - Sector offset of the run in the image (INTEGER)
• sect_len - Length of the run in sectors (INTEGER)

unused_sectors

Contains one row for each contiguous run of blocks (sectors) of unallocated space left over after carving. These runs are used to create unused sectors files to pass through the file analysis pipeline.

• file_id - Id assigned to the unused sectors file that contains the run (INTEGER - foreign key, files)
• vol_id - Id of the volume / partition that contains the run (INTEGER - foreign key, vol_info)
• sect_start - Sector offset of the run in the image (INTEGER)
• sect_len - Length of the run in sectors (INTEGER)

derived_files

Contains one row for each file derived from another file, e.g., files extracted from archive files.

• file_id - Id assigned to the file (INTEGER - foreign key, files)
• derivation_details - Unused (TEXT)

Blackboard Tables

blackboard_artifacts

Contains one row for each artifact found in the set of images analyzed to produce the database.

• artifact_id - Id assigned to the artifact (INTEGER)
• obj_id - Id assigned to the file associated with the artifact (INTEGER - foreign key, files)
• artifact_type_id - Id assigned to the type of artifact (INTEGER - foreign key, blackboard_attribute_types)

blackboard_attributes

Stores the values of the name-value pairs that are the attributes associated with an artifact. Only one of the value columns should be populated.

• artifact_id - Id assigned to the artifact (INTEGER)
• source - Source string, should be the name of the module that discovered the artifact (TEXT)
• context - Additional context information (TEXT)
• attribute_type_id - Id for the type of attribute (INTEGER - foreign key, blackboard_attribute_types)
• value_type - The type of the value, serves as discriminant for the union of the value columns ( INTEGER - TskImgDB::VALUE_TYPE)
• value_byte - A blob of binary data (BLOB)
• value_text - A string of text (TEXT)
• value_int32 - An 32-bit integer (INTEGER - 0 by default default)
• value_int64 - A 64-bit integer (INTEGER - 0 by default default)
• value_double - A double (NUMERIC - 0 by default default)
• obj_id - Id assigned to the file associated with the attribute (INTEGER - foreign key, files)

blackboard_artifact_types

Artifact types.

• artifact_type_id - Id assigned to the type (INTEGER)
• type_name - A unique string identifier for the type (TEXT)
• display_name - A human-readable display name for the type (TEXT)

blackboard_attribute_types

Artifact attribute types.

• attribute_type_id - Id assigned to the type (INTEGER)
• type_name - A unique string identifier for the type (TEXT)
• display_name - A human-readable display name for the type (TEXT)